Palo Alto Networks Security Advisories / PAN-SA-2015-0005

PAN-SA-2015-0005 Device management authentication bypass

047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Devices running PAN-OS 7.0.0 (including Panorama) that are configured to use LDAP for captive portal or device management authentication do not properly perform authentication against the LDAP server in specific cases, leading to an authentication bypass. There is no issue if you are using Radius or local authentication instead of LDAP or prior versions of PAN-OS; nor does this affect authentication attempts from GlobalProtect clients.

This vulnerability can lead to authentication bypass for captive portal or device management login attempts.

This issue only affects PAN-OS 7.0.0

Product Status

VersionsAffectedUnaffected
PAN-OS 7.07.0.0>= 7.0.1

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

Solution

PAN-OS 7.0.1 and subsequent.

Workarounds and Mitigations

This issue only affects devices and Panorama configured to use LDAP for captive portal or device management authentication. This issue is strongly mitigated by following security appliance management best practices, requiring that network access to the management interfaces be isolated and strictly limited only to security administration personnel.

© 2020 Palo Alto Networks, Inc. All rights reserved.